Plugin to force fixed version

[jogielis]

I'm working on a plugin to allow overriding dependency versions.

The requirements that should be overridden are given by a source (path, git, ...) that points to a simple TOML-file describing a list of requirements with specific versions.
The plugin will then compare those with specified dependencies in the project and override if needed.

The part where the plugin is actually updating versions:

(snippet of the actual code)

...
# assume for now the source:
fixed_specifiers: Dict[str, SpecifierSet] = {}
...
def fix_versions(project: Project, dry_run: bool):
    for group, deps in project.all_dependencies.items():
        for name, requirement in deps.items():
            specifier = fixed_specifiers.get(name)
            if specifier and requirement.specifier != specifier:
                project.core.ui.echo(f"[info] Updating {name} {requirement.specifier} -> {specifier}", verbosity=Verbosity.NORMAL)
                requirement.specifier = specifier
                project.add_dependencies({name: requirement}, show_message=False)
                actions.do_lock(project)
                actions.do_sync(project, selection=GroupSelection(project, default=True, dev=None, groups=[]))

class FixedVersions(BaseCommand):
    """ Check for fixed versions """

    def add_arguments(self, parser: argparse.ArgumentParser) -> None:
        dry_run_option.add_to_parser(parser)

    def handle(self, project: Project, options: argparse.Namespace) -> None:
        # project.core.ui.echo(f"{_get_current_branch()}", verbosity=Verbosity.NORMAL)
        fix_versions(project, dry_run=options.dry_run)

is

1. add_dependencies
2. do_lock
3. do_sync

The best way to tackle this?

And I should probably look at the lock file instead? Since that will actually contain all dependencies, and I will not be able to catch them all by just looking at the pyproject.toml file.

1. check dependencies in lock file
2. update project file (by using add_dependencies ?)
3. do_lock
4. do_sync
   ?